Solved

Office 365 Cutover Migration - Logistics and Post-Migration Strategy

Posted on 2015-01-19
Last Modified: 2015-02-09
Greetings.  I'm getting ready to complete our cutover migration (using Microsoft's migration batch).

I've been told that the best way to finalize this is to switch our MX records (Autodiscover, too) on a Friday night, confirm mail routing to Office 365, then assist users on Monday morning.  I am presuming the suggestion implied that users should switch to Outlook online after the MX switch is completed (some time late Friday or early Saturday - we use Network Solutions which is pretty quick with this).

Questions:
1. We have 70 users, all with laptops, all out of the office on the weekends.  Is it preferable to actually stop MS Exchange services on our On-Premises server after the MX record switch? When they come in Monday morning, we'll be waiting for them, but over the weekend, they may try to create messages in their current Outlook profiles vs. using their Office 365 online Outlook.

2. Once the MX record (and Autodiscover) are switched, does the migration batch still communicate with the on-premises server for incremental updates? (this isn't really clear in any of the documentation I read). If so, and if I should let it continue for another day or so, that would preclude Question 1 above, yes?

3. I have a password sync (third party) in place, so I don't need to maintain the on-premises server for dir sync at this time. I don't want to fully power it off though. Are there certain services I should stop right after the migration is completed that would not interfere with Question 2 above?

Thanks much.
-Stephen
Question by:lapavoni
23 Comments
 
LVL 19

Expert Comment

by:R--R
ID: 40558667
Which Exchange server are you using on-premises?
Once you change the MX record, run the sync again and sync the delta changes.
Once done, create the Autodiscover record for Office 365.
Then configure Outlook.
0
 

Author Comment

by:lapavoni
ID: 40558794
Exchange 2010 (SP3). Have you done a Cutover migration? There's no manual "sync" to run. The migration batch does incremental syncs until you delete the batch. I'm hoping an expert out there knows if the incremental syncs continue after you change the MX record or if the migration batch is dependent upon the MX record (and Autodiscover) to continue doing the incremental syncs.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 40559290
Incremental syncs will continue to sync after changing the MX records until you stop the batch manually.

What I normally do is stop the sync, then once it has stopped, start it again just before switching the MX records, then once it has finished the sync, change the MX records and stop inbound mail coming to your Exchange server.

You can then disable the mailboxes on your Exchange Server knowing that nothing else will arrive, remove the Autodiscover virtual directory using Exchange Management Shell and then set up the local users' mailboxes and that will stop users from trying to send new emails out.

Come Monday you can help them configure Outlook for 365 knowing that DNS will have replicated and Autodiscover will find 365 and not your server.

Any mobiles can be changed on the Monday or over the weekend if people need to continue to email, but using 365 not your Exchange server.
0
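Added example, not part of the thread: a PowerShell check to run around the MX switch described in the accepted answer, listing mailboxes the batch has not cleanly synced and showing where MX and Autodiscover currently resolve. It assumes an open Exchange Online PowerShell session; `CutoverBatch` and `example.com` are placeholders, and the two Office 365 host names are the standard Microsoft ones rather than values from this page.

```powershell
# Added example; assumes an Exchange Online PowerShell session is already open.
$BatchName = 'CutoverBatch'   # hypothetical batch name, not from the thread
$Domain    = 'example.com'    # placeholder mail domain

# 1. Batch-level state of the cutover batch.
$batch = Get-MigrationBatch -Identity $BatchName

# 2. Per-user state: every mailbox that is not cleanly synced, with its error.
$notSynced = @(Get-MigrationUser -BatchId $BatchName -ResultSize Unlimited |
    Where-Object { $_.Status -ne 'Synced' })
$notSynced | Sort-Object Status |
    Format-Table Identity, Status, LastSyncTime, ErrorSummary -AutoSize

# 3. DNS as this machine sees it. Office 365 MX hosts end in
#    .mail.protection.outlook.com; its Autodiscover CNAME target is
#    autodiscover.outlook.com.
$mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'MX' })
$auto = @(Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'CNAME' })

# MX hosts that still point somewhere other than Office 365.
$mxElsewhere = @($mx | Where-Object { $_.NameExchange -notlike '*.mail.protection.outlook.com' })

[pscustomobject]@{
    BatchStatus        = $batch.Status
    UsersNotSynced     = $notSynced.Count
    MxRecords          = ($mx.NameExchange -join ', ')
    MxAllOnOffice365   = ($mx.Count -gt 0 -and $mxElsewhere.Count -eq 0)
    AutodiscoverTarget = ($auto.NameHost -join ', ')
    AutodiscoverOn365  = ($auto.NameHost -contains 'autodiscover.outlook.com')
} | Format-List
```

Run it before the MX change and again afterwards; any row in the per-user table is a mailbox to resolve before the batch is removed.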
 

Author Comment

by:lapavoni
ID: 40559942
Excellent, Alan. Thank you. I understand every suggestion except: "... and then setup the local users mailboxes". Not sure what you mean there.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40559972
Sorry - I meant configure Outlook for the 365 accounts on the users' laptops - but then after I wrote that I re-read your question and saw that the users are remote and forgot to remove that bit!

So basically - once you have disabled their Mailboxes (DON'T Delete them as that will delete the mailbox AND the AD account), Outlook on their computers won't work - or at least it will, but they may try to send emails and they will sit in their Outboxes.

You will have to remind them all NOT to send out emails after a specific time (after you have disabled their mailboxes) or their messages won't send and will be lost!
0
 

Author Comment

by:lapavoni
ID: 40560147
I've done many "remove-mailbox -permanent" stuff, but that's a good reminder :-)

Since they have cached profiles, there's really no way to prevent them from sending, other than good communication before the switch. I was hoping otherwise, but that will have to do.

Thanks much.
0
 

Author Closing Comment

by:lapavoni
ID: 40560149
Outstanding advice. Thank you much.

-Stephen
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40560159
No amount of reminding them not to will prevent them from trying - they are users and we all know what they are like ;)

A lot of mail servers will pick up on the MX changes quite quickly but cutting off mail-flow to your server usually makes sure that nothing will get missed and give you / your users a headache.

If you get stuck anywhere whilst making the switch - just post another comment and I'll hopefully not be too far away.

Alan
0
 

Author Comment

by:lapavoni
ID: 40560170
Thank you much. I've got a team of two "helpers" in the office to create user profiles (probably Feb. 9th.) for about 50 users. I'd estimate about 10-12 will be on the road or in home offices, so I think it should go well.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40560183
No probs - always good to not be alone.  Happy to be a 3rd helper (if you need it).

We have a few hours difference between us (I'm in the UK) but that's never been an issue before.
0
 

Author Comment

by:lapavoni
ID: 40563647
Alan, since I do have your expert ear :-), I have one question for you re: public folders.  We have 19 public folders, 2 of which are calendars (Exchange 2010 SP3). I manually created these in Office 365. There really is not much content in them, with the exception of our Staff Out of Office calendar. My plan was to export each one to a PST and simply import the content back from my Outlook client.  Regarding the calendar-type ones, do I change the content type for the folder first? Or if I do an import, does the folder know from the import to display calendar content?  Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40563804
I would change the type first - just to err on the side of caution.  Default is Mail and I've not tried importing calendar items to a default folder before to see what happens!
0
 

Author Comment

by:lapavoni
ID: 40595266
Hi Alan.  I'm in the midst of my cutover migration.  All is well so far.  I am afraid I might have done something out of order, though.  I changed the Autodiscover in DNS along with our MX records.  I'm not sure if the incremental sync relies on autodiscover pointing to our on-premise Exchange server.  If that is indeed the case, then I'll have a few upset employees missing one day's worth of e-mail.  In the rare chance you're awake, feel free to comfort me or break the bad news.

Thanks much.
-Stephen
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40595600
As long as you don't stop the sync, you should be fine.  I have seen the sync complain though once Autodiscover has been changed, but as long as it is syncing, then it should continue because it doesn't have to find the place to sync with.

Hopefully I'm not talking rubbish here!!
0
 

Author Comment

by:lapavoni
ID: 40595622
It wound up choking on every user. I called MS. We stopped the batch and restarted and that seemed to do the trick. One user had a sync fail and another had a name mismatch because I changed the login name. Of course it was our CEO. Neither had much mail from yesterday, so I just exported to PST and imported.

Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40595739
Ouch!  Why is it always the key players??

Ah - the old restart the batch file trick!!

Hope it's all plain sailing from now on.

Alan
0
 

Author Comment

by:lapavoni
ID: 40596480
But wait, there's more!  Now my mail-enabled public folders can't accept email from external senders. I guess Microsoft beefed up security a while back to reject all anonymous posting to public folders. I followed the supposed fix to change permissions for anonymous to "Contributor", but that didn't work. I've read that changing the Accepted Domain from Authoritative to Internal Relay should fix the problem, but I don't know if that's a good idea, as it then doesn't check for valid recipients, right? What are your thoughts? I'm awaiting a call from MS again. They haven't harmed anything, but haven't been overly helpful either :-)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40596713
Yep - they tweaked some settings.

You need PowerShell to run the following command (per email-enabled Public Folder):

Add-PublicFolderClientPermission -Identity "\My Public Folder Name" -User Anonymous -AccessRights CreateItems
0
 

Author Comment

by:lapavoni
ID: 40596999
I tried that, to no avail.  It turned out that I did need to change the Accepted Domain type to Internal Relay.  All seems well.  Thanks for your replies and suggestions, Alan.  You're a nice Expert :-)
0
 

Author Comment

by:lapavoni
ID: 40597039
Hmmm, Microsoft has a lot of chicken-or-egg issues here.  I solved the mail-enabled PF issue by changing to Internal relay.  However ... now when an e-mail is sent to a non-existent user, the NDR shows up as:

Remote Server returned '554 5.4.14 Hop count exceeded - possible mail loop ATTR1'

With the entire loop in the message.  Not a show-stopper, but not helpful for outside senders :-(
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40597329
Why would you have to change the accepted domain to Internal Relay - that doesn't make any sense!?!?!?

Pretty sure that the permissions were all that needed changing for our customers that faced the same issue.

Always happy to help :)
0
 

Author Comment

by:lapavoni
ID: 40597349
I read that also, but for many users even the Anonymous permission fix doesn't work.  Since Internal Relay allows e-mails to addresses that are not AD "recipients" ... i.e. not Edge Blocked, they allow public folder e-mail addresses to receive external messages.  I know, it's crazy, but that fix worked.
0
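Added example, not part of the thread: a PowerShell audit of the two settings discussed above, the accepted domain type and the rights the Anonymous principal holds on each mail-enabled public folder. It assumes an open Exchange Online PowerShell session and only reads configuration.

```powershell
# Added example; assumes an Exchange Online PowerShell session is already open.

# Accepted domains. With InternalRelay, mail for addresses that do not resolve
# to a recipient is accepted and relayed on rather than rejected, which is the
# trade-off raised in the thread (the thread also reports a 554 5.4.14 loop NDR
# for unknown recipients after switching to it).
$domains = Get-AcceptedDomain | Select-Object DomainName, DomainType, Default
$domains | Sort-Object DomainName | Format-Table -AutoSize
$relayDomains = @($domains | Where-Object { "$($_.DomainType)" -eq 'InternalRelay' })

# Mail-enabled public folders and the rights held by the Anonymous principal.
$report = @(Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited |
    Where-Object { $_.MailEnabled } |
    ForEach-Object {
        $folder = $_
        $anon = @(Get-PublicFolderClientPermission -Identity $folder.Identity |
            Where-Object { "$($_.User)" -eq 'Anonymous' })
        [pscustomobject]@{
            Folder                 = "$($folder.Identity)"
            AnonymousRights        = ($anon.AccessRights -join ', ')
            # CreateItems is the only right the thread's command grants;
            # anything else listed here is broader and worth a second look.
            BroaderThanCreateItems = [bool]($anon.AccessRights |
                Where-Object { "$_" -notin 'CreateItems', 'None' })
        }
    })
$report | Sort-Object Folder | Format-Table -AutoSize

$summary = '{0} accepted domain(s) set to InternalRelay; {1} mail-enabled public folder(s) reviewed.'
$summary -f $relayDomains.Count, $report.Count
```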
 

Author Comment

by:lapavoni
ID: 40600106
I think I can sleep now :-). We created new Outlook profiles for about 90% of our users today. No problems at all with that. The only unexpected thing today was a weird one - a public folder calendar that I manually imported from PST changed the "last modified by" note on each appointment to Me :-)  so no one can delete their existing entries. I could give everyone full permission, but would rather avoid that. Not really a big deal.

So I'm managing all mail users, proxies, etc. in the online Exchange Admin center ... or via PowerShell. I'm using a third party utility to synchronize passwords.  Question: is there any reason to maintain my on-premises Exchange server?  I know if I were using ADSync and I removed/disabled the users' Exchange accounts, I'd lose their SMTPs and proxy addresses, right? But since I'm not doing that, I can eventually decommission the Exchange 2010 server.  Should I not disable the Exchange accounts and simply power off the server?

Thanks.
Stephen
0
